Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption

Problem description

Sometimes, when the server tries to connect to other services over https, I keep noticing the following error. What should be done to resolve this? Interestingly, it only happens on a few servers.

{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    ....
    ....
    at com.xyz.rest.XyzService.call(XyzService.java:1239)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186)
    at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191)
    at org.apache.axis.transport.http.HTTPSender.writetoSocket(HTTPSender.java:404)
    at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138)
    ... 22 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 33 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption
    at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.prepareNextCertO(Unknown Source)
    at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 39 more

Solution

Thanks everyone, but I found the answer to this problem. There was an old version of the Bouncy Castle jar; after upgrading the jar to bcprov-jdk15on-1.58.jar, the "Algorithm constraints check failed on signature algorithm: SHA256WithRSAEncryption" error no longer occurs.


Please check the TLS-related Java configuration on the affected servers. The SDK uses the security properties jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms to disable algorithms during TLS protocol negotiation, and it is possible that SHA256WithRSAEncryption has been disabled.

You can find the values of these properties in the <install_dir>/jre/lib/security/java.security file of your Java installation.

Please consider reading this related article; it applies to IBM SDK 8, but the behavior described should be the same or very similar for other SDK versions and vendors.

Also, when running your program on the affected servers, consider enabling the java.security.debug environment property with the value certpath or all:

-Djava.security.debug=certpath

It will give you guidance and valuable information about what is happening and why Java complains about that algorithm.
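As an added diagnostic that is not code from the question or either answer, the program below (the class name CertPathConstraintsCheck and the PEM chain-file argument are my own choices) ties both answers together: it lists the installed providers with their versions, so a stale bcprov jar is visible next to the JDK's own provider, prints the effective jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms values, and, given a PEM chain file, reports which property entry would reject each certificate's signature algorithm or RSA key size. Its parser is a simplified approximation of the JDK's constraint evaluation, not the JDK's own DisabledAlgorithmConstraints class.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

public class CertPathConstraintsCheck {
    public static void main(String[] args) throws Exception {
        // Providers in priority order: a stale bcprov jar shows up here with its version number
        for (Provider p : Security.getProviders())
            System.out.println("provider " + p.getName() + " " + p.getVersion() + " (" + p.getClass().getName() + ")");
        // Effective values: java.security merged with any runtime Security.setProperty overrides
        String certpath = Security.getProperty("jdk.certpath.disabledAlgorithms");
        System.out.println("jdk.certpath.disabledAlgorithms = " + certpath);
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));
        if (args.length == 0) return; // usage: java CertPathConstraintsCheck chain.pem (hypothetical file)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                PublicKey pk = x.getPublicKey();
                int bits = pk instanceof RSAPublicKey ? ((RSAPublicKey) pk).getModulus().bitLength() : -1;
                String hit = findViolation(certpath, x.getSigAlgName(), pk.getAlgorithm(), bits);
                System.out.println(x.getSubjectX500Principal() + " sigAlg=" + x.getSigAlgName()
                        + (hit == null ? " OK" : " would be rejected by entry '" + hit + "'"));
            }
        }
    }
    // Simplified reading of the property: comma-separated entries that are either a bare algorithm
    // name (trailing modifiers such as "jdkCA & usage ..." are ignored here) or "<keyAlg> keySize < N".
    static String findViolation(String property, String sigAlg, String keyAlg, int keyBits) {
        if (property == null) return null;
        for (String raw : property.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            String[] t = entry.split("\\s+");
            if (t.length >= 4 && t[1].equalsIgnoreCase("keySize")) {
                if (keyBits >= 0 && t[0].equalsIgnoreCase(keyAlg) && t[2].equals("<")
                        && keyBits < Integer.parseInt(t[3])) return entry;
            } else if (sigAlgUses(sigAlg, t[0])) return entry;
        }
        return null;
    }
    // "SHA256withRSA" is split into SHA256 and RSA, mirroring how the JDK applies a bare name
    static boolean sigAlgUses(String sigAlg, String name) {
        String wanted = name.replace("-", "").toUpperCase();
        return Arrays.stream(sigAlg.toUpperCase().split("WITH")).anyMatch(p -> p.replace("-", "").equals(wanted));
    }
}
```

Run it with the same JVM, classpath and -D options as the failing service, otherwise the provider list and property values it prints may differ from the ones the handshake actually sees.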